What’s New in Fireware XTM v11.9 (WatchGuard Training)

Posted: 31-Dec-2015

TRANSCRIPT

Page 1: What’s New in Fireware XTM v11.9 WatchGuard Training

What’s New in Fireware XTM v11.9

WatchGuard Training

Page 2: What’s New in v11.9

APT Blocker (new security service)
Data Loss Prevention (DLP) Custom Rule
OS Compatibility Settings
Traffic Management
• Feature redesign
• New monitoring options
Custom interface / security zone
Gateway Wireless Controller and Wireless AP updates
• Wireless coverage map and channel conflict map
• Control over DFS and channel limitations, transmit rate and power
• Support for AP102 indoor/outdoor access point
• Updated AP firmware 1.2.9.1
• Enhancements to AP device management and monitoring
XTM built-in wireless access points as independent interfaces

Page 3: What’s New in v11.9

IPSec VPN
• Support for Diffie-Hellman groups 14, 15, 19, and 20
• Ability to enable/disable Branch Office VPNs
Mobile VPN with SSL
• Domain list on the Mobile VPN with SSL authentication page
• Mobile VPN with SSL automatic reconnect setting
• Bridge VPN Traffic now requires a LAN bridge
• SHA is no longer supported
FireCluster enhancements
• Web UI support for FireCluster
• Control monitored interfaces in an active/passive cluster
• PPPoE support on a FireCluster external interface
• Cluster management interface can be a bridge or VLAN interface

Page 4: What’s New in v11.9

Authentication enhancements
• User lock-out option for hotspots
• Authentication server timeout option, with PhoneFactor authentication support
IPv6 support
• IPv6 in Bridge, Link Aggregation, and VLAN interfaces
• IPv6 dynamic routing protocols
• IPv6 6-in-4 tunnel routes through a BOVPN virtual interface
Role-based device management
• User accounts for device access and Audit Trail reports
Logging enhancements
• Integration with IBM’s SIEM system, QRadar
• SSO component log files
Device Configuration Template enhancements
• Inheritance settings for APT Blocker
• WebBlocker profile support for Firebox T10

Page 5: What’s New in v11.9

Other enhancements
• Device feedback enhancements
• Wireless interfaces chart on the Bandwidth page in the Web UI
• Static ARP configuration in the Web UI
• Static ARP for Bridge, VLAN, and Link Aggregation interfaces
• Support for DHCP option 50
• Support for OSPF ECMP

Page 6: APT Blocker

Page 7: APT Blocker

What is an APT (Advanced Persistent Threat)?
• APTs leverage the latest targeted malware techniques and zero-day exploits (flaws that software vendors have not yet discovered or fixed) to infect and spread within a network.
• They are designed to gain access to networks and to reach confidential data over extended periods of time.
• APTs are highly sophisticated and often target specific high-profile institutions, such as government agencies or financial-sector companies.
• APT use has now expanded to target smaller networks and lower-profile organizations.
• Traditional signature-based scan techniques do not provide adequate protection against APTs.

Page 8: APT Blocker

APT Blocker is a subscription service that uses full-system emulation analysis from WatchGuard’s solution partner Lastline.
The Lastline cloud performs file analysis in a sandbox environment to identify the characteristics and behavior of advanced malware in files and email attachments.
Full-system emulation goes beyond simple detection techniques: it simulates both the hardware and the software environment so that advanced malware activity can be analyzed at the deepest level.
Because the whole system is emulated rather than instrumented from inside the guest, it is much harder for advanced malware to detect the analysis environment and evade it.

Page 9: APT Blocker — How Does it Work

Files that enter your network are scanned and an MD5 hash of each file is generated.
This MD5 hash is submitted over HTTPS to the Lastline cloud-based data center, where it is compared to a database of analyzed files; results are returned immediately.
If the analysis results in a match to a known malware threat, you can take immediate action on the file.
If there is no match in the data center’s analysis results, the specific file has never been seen or analyzed before.
• In this case the actual file is submitted to the Lastline data center, where the file undergoes deep analysis for advanced malware activity.
• This analysis occurs at the same time as the file transfer: the connection is passed through while the device waits for the result of the analysis.
• The result is returned in minutes, and if there is evidence of malware activity in the file, your WatchGuard Firebox or XTM device can generate an alarm notification.
Note the consequence of the pass-through: the first copy of a never-before-seen file reaches its recipient before the verdict arrives. The verdict then drives the alarm and, through the hash lookup, applies immediately to later copies of the same file.
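The decision flow above, from the Gateway AntiVirus pre-check through the size limit, the file-type check and the hash lookup to the sandbox submission, modeled as an added example. This is not WatchGuard or Lastline code: the service’s protocol and hash database are not public, so the cloud lookup is a local dict, the sample executable is a constructed stub, and detecting file types by magic bytes rather than by extension is this example’s own choice (the page lists extensions only).

```python
"""Model of the APT Blocker decision flow described on pages 9, 10, 12 and 13.

Added example, not WatchGuard or Lastline code. The "cloud" is a dict, the
sample files are constructed stubs, and magic-byte sniffing is this example's
choice; the real service's protocol and database are not public.
"""
import hashlib
import struct

# Page 13: 1 MB default scan limit on most models, 8 MB ceiling for APT Blocker.
DEFAULT_SCAN_LIMIT = 1 * 1024 * 1024
APT_MAX_FILE_SIZE = 8 * 1024 * 1024

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def sniff_type(data):
    """Return the APT Blocker file class from page 10, or None if unsupported."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"          # .exe, .dll, .sys, .scr, .cpl, .ocx, .drv, .efi
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:5] == b"{\\rtf":
        return "rtf"
    if data[:8] == OLE2_MAGIC:
        return "office"          # legacy binary Office container
    if data[:4] == b"PK\x03\x04":
        return "zip"             # also OOXML (.docx etc.) and Android .apk
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[257:262] == b"ustar":
        return "tar"
    return None


def record_verdict(cache, data, level):
    """Simulate the cloud learning a verdict ("high", "medium", "low" or "clean")."""
    cache[hashlib.md5(data).hexdigest()] = level


def apt_blocker_decision(data, cache, scan_limit=DEFAULT_SCAN_LIMIT, gav_clean=True):
    """Return (stage, result) for one file passing through an APT-enabled proxy."""
    if not gav_clean:
        # Page 12: Gateway AntiVirus runs first; APT Blocker only sees clean files.
        return ("gav", "blocked by Gateway AntiVirus")
    if len(data) > min(scan_limit, APT_MAX_FILE_SIZE):
        # Page 13: partial files cannot be analyzed, so oversize files are skipped.
        return ("skip", "exceeds scan limit")
    ftype = sniff_type(data)
    if ftype is None:
        return ("skip", "unsupported file type")
    digest = hashlib.md5(data).hexdigest()
    if digest in cache:
        # Page 9: the hash lookup answers immediately for already analyzed files.
        return ("hash-lookup", cache[digest])
    # Page 9: never seen before; the file itself goes to the sandbox while the
    # connection is passed through, so the first copy is delivered before the verdict.
    return ("submit", "pending")


def minimal_pe():
    """Constructed stub with just enough header to be recognized as a PE file."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew points at the PE signature
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def demo():
    """Walk one constructed executable through the flow twice."""
    cloud = {}
    exe = minimal_pe()
    first = apt_blocker_decision(exe, cloud)      # sandbox submission, verdict pending
    record_verdict(cloud, exe, "high")            # the sandbox verdict arrives later
    second = apt_blocker_decision(exe, cloud)     # next copy is answered from the hash
    return first, second


if __name__ == "__main__":
    print(demo())
```

Two practitioner caveats follow from this model. The size check comes before anything else, so the Gateway AntiVirus scan limit is also the size above which a file is never seen by the sandbox. And any verdict cache keyed by MD5 inherits MD5’s collision weakness: constructing two different files with the same MD5 is practical today, so a hash match should be treated as "this exact file was analyzed" only to the extent that the submitting side, not the sender, controls which of the two files was analyzed.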

Page 10: APT Blocker — Supported Proxies and File Types

APT Blocker can scan files for the HTTP, FTP, and SMTP proxies.
APT Blocker can scan these file types:
• Windows PE (Portable Executable) files. Includes Windows XP and Windows 7/8 files with .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, and .efi extensions.
• Adobe PDF documents
• Microsoft Office documents
• Rich Text Format (RTF) documents
• Android executable files (.apk)
APT Blocker can also examine files within these compressed archives:
• gzip
• tar
• zip

Page 11: APT Blocker & Other Security Services

APT Blocker combines with these other security services on your Firebox or XTM device to provide additional layers of defense against network threats:
• Gateway AntiVirus
• Reputation Enabled Defense (RED)
• WebBlocker

Page 12: APT Blocker & Gateway AntiVirus

APT Blocker uses the same scanning process as Gateway AntiVirus.
You must have Gateway AntiVirus enabled to enable APT Blocker on a specific proxy.
Files are scanned by Gateway AntiVirus before they are scanned by APT Blocker.
Only files that Gateway AntiVirus has scanned and processed as clean are scanned by APT Blocker.
You customize which file types APT Blocker scans in the Gateway AntiVirus configuration.
If the Gateway AntiVirus scan is enabled for a specific file/content type in the configuration, APT Blocker scans that file as long as the file type is one it supports.

Page 13: APT Blocker & Gateway AntiVirus Scan Limits

APT Blocker cannot scan or analyze partial files. In practice this matters less than it sounds, because most malware is delivered in files smaller than 1 MB.
APT Blocker scan limits are based on the scan limits set in the Gateway AntiVirus configuration.
The default and maximum scan limits vary by Firebox or XTM device model. The default scan limit for most Firebox and XTM devices is 1 MB; the Firebox T10 and XTM 2 Series have a default of 512 KB.
You can increase the scan limit to scan larger files for increased protection, but this uses more system memory and could result in fewer concurrent connections through the appliance.
The maximum file size allowed for APT Blocker is 8 MB.
A file larger than the scan limit is therefore never analyzed by APT Blocker at all; raise the limit where the protected traffic regularly carries executables or documents larger than the default.

Page 14: APT Blocker & Reputation Enabled Defense (RED)

WatchGuard RED uses a cloud-based WatchGuard reputation server that assigns a reputation score between 1 and 100 to every URL.
WatchGuard recommends that you do not enable the "Bypass any configured virus scanning for URLs that have a good reputation" option in the Reputation Enabled Defense configuration.
This ensures that all traffic is scanned by Gateway AntiVirus and APT Blocker. Because APT Blocker only sees files that Gateway AntiVirus has scanned, a bypass for good-reputation URLs would also bypass APT Blocker for those downloads.

Page 15: APT Blocker & WebBlocker

An important defense against advanced malware is to detect botnet activity and any command and control traffic from inside your network to external servers.
WebBlocker uses a database of web site addresses (identified by content categories) to allow or block web site traffic.
WatchGuard recommends that you configure the WebBlocker service to block traffic for these security URL categories to detect and prevent this type of activity:
• Malicious Embedded Link
• Malicious Embedded iFrame
• Mobile Malware
• Advanced Malware Command and Control
• Elevated Exposure
• Emerging Exploits
• Potentially Damaging Content
• Dynamic DNS
• Security
• Malicious Web Sites
• Spyware
• Phishing and Other Frauds
• Keyloggers
• Potentially Unwanted Software
• Bot Networks
• Suspicious Embedded Link

Page 16: APT Blocker — Configuration

APT Blocker categorizes APT activity based on the severity of the threat:
• High
• Medium
• Low
All threat levels are considered malware. Higher levels have more significant indicators of malware.
For each threat level, you can assign an action:
• Allow
• Drop (the SMTP proxy strips the attachment)
• Block (the SMTP proxy strips the attachment)
• Quarantine (SMTP only; for HTTP and FTP the connection is dropped)
Enable the notification and log settings to make sure you are notified of malware activity.

Page 17: APT Blocker — Enable in a Policy

You can enable or disable APT Blocker for a specific policy in the APT Blocker configuration or when you edit a proxy action.

Page 18: APT Blocker — Notifications & Log Messages

APT Blocker uses email notification alerts to notify the administrator of APT threats.
The APT Blocker log messages provide detailed information about each detected threat.

Page 19: APT Blocker Reports

WatchGuard Dimension v1.2 provides support for APT Blocker reports.

Page 20: DLP Custom Rule

Page 21: DLP Custom Rule

You can now add a custom rule to your DLP configuration.
This lets you customize your DLP configuration beyond the predefined rules.
You can scan your network traffic for special phrases specific to your organization.
For example, use your email and document security classifications in the custom rule to prevent sensitive messages and documents from leaving your network.

Page 22: DLP Custom Rule Configuration Notes

You can only create a single custom rule.
The custom rule can contain multiple words and phrases that you want to monitor or control.
Each phrase can be up to 127 characters in length.
• Note that long phrase lengths can impact system performance.
There is no limit to the number of phrases, but a large number of phrases in your custom rule can impact system performance.
• We recommend you use at most 15 phrases within a custom rule.
Phrases must consist of Unicode characters in the Basic Multilingual Plane (BMP) only. The BMP is the first 65,536 characters in Unicode.
• This covers most major language character sets.
Only simple text matching is performed. Regular expressions are not supported.
Text matching is case-insensitive.
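The notes above define a small matching contract (plain substrings, no regular expressions, case-insensitive, BMP-only phrases of at most 127 characters, about 15 phrases at most). The following added example checks a phrase list against those limits before you paste it into the Custom Rule tab and shows what the matching does to a sample message. It is not WatchGuard code: the Firebox does its own matching, and two details the page leaves open are assumed here, namely that a phrase matches anywhere in the text (no word boundaries) and that case folding behaves like Python’s casefold(). The phrases and the message are constructed.

```python
"""Checks a DLP custom-rule phrase list against the page 22 limits and shows the
simple, case-insensitive matching those notes describe.

Added example, not WatchGuard code. Assumed: substring matching without word
boundaries, and Python casefold() as the case-folding rule. Sample data is
constructed.
"""

MAX_PHRASE_LEN = 127          # page 22: each phrase up to 127 characters
RECOMMENDED_MAX_PHRASES = 15  # page 22: more than this can hurt performance
BMP_LIMIT = 0xFFFF            # page 22: the BMP is the first 65,536 code points


def check_phrases(phrases):
    """Return (phrase, problem) pairs; an empty list means the list is usable."""
    problems = []
    if len(phrases) > RECOMMENDED_MAX_PHRASES:
        problems.append(("", "%d phrases; at most %d recommended"
                         % (len(phrases), RECOMMENDED_MAX_PHRASES)))
    for phrase in phrases:
        if not phrase.strip():
            problems.append((phrase, "empty phrase"))
            continue
        if len(phrase) > MAX_PHRASE_LEN:
            problems.append((phrase, "%d characters exceeds the %d limit"
                             % (len(phrase), MAX_PHRASE_LEN)))
        # Emoji and many CJK extension characters lie above the BMP.
        outside = ["U+%X" % ord(ch) for ch in phrase if ord(ch) > BMP_LIMIT]
        if outside:
            problems.append((phrase, "outside the Basic Multilingual Plane: "
                             + ", ".join(outside)))
    return problems


def match_phrases(text, phrases):
    """Simple text matching: no regular expressions, case-insensitive."""
    folded = text.casefold()
    return [p for p in phrases if p.casefold() in folded]


# Constructed classification markers and a constructed outbound message.
PHRASES = ["CONFIDENTIAL", "Internal Use Only", "Project Bluebird"]
MESSAGE = "Attached is the confidential Q3 plan. INTERNAL USE ONLY. Do not forward."


def demo():
    """Validate the list, then report which phrases the message triggers."""
    return check_phrases(PHRASES), match_phrases(MESSAGE, PHRASES)


if __name__ == "__main__":
    print(demo())
```

Because matching is a case-insensitive substring test, short or common phrases produce false positives ("SECRET" matches "secretary"), and plain text matching is defeated by trivial obfuscation such as inserted zero-width or look-alike characters; choose phrases that are distinctive classification markers rather than ordinary words.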

Page 23: Configure a DLP Custom Rule

In the DLP configuration, select the Custom Rule tab.
Type a descriptive name for the custom rule.
Type a list of phrases, one phrase per line.

Page 24: Enable the Custom Rule for a DLP Sensor

Enable your custom rule, which contains the phrases you want to monitor and control, in the configuration for a DLP sensor.

Page 25: DLP Custom Rule

You can then enable the DLP sensor for each policy as required.

Page 26: OS Compatibility

Page 27: OS Compatibility Setting

Policy Manager now has an OS Compatibility setting that controls which options are available for some features.
If you use Policy Manager to open the configuration from a device, the Fireware XTM version is set automatically from the OS version the device runs.
For a new configuration file, you must select the Fireware XTM version before you can configure some features, such as network settings and Traffic Management.
• Policy Manager automatically opens the OS Compatibility dialog box when needed.
• Or you can select Setup > OS Compatibility.

Page 28: Traffic Management

Page 29: Traffic Management Enhancements

Traffic Management functionality has been completely redesigned in v11.9.
Key differences from v11.8 and all previous versions:
• Traffic Management actions are not tied to a physical XTM device interface. The interface in the policy determines which interface an action applies to. Traffic Management actions can apply to all interface types, including VLAN, Bridge, link aggregation, and wireless interfaces, which were not supported before.
• There are three Traffic Management action types.
• A policy can use different Traffic Management actions for forward and reverse traffic.
• You can apply Traffic Management actions to applications and application categories, in addition to policies.
• The new Traffic Management tab in Firebox System Manager shows detailed statistics for each Traffic Management action by policy and application.

Page 30: Traffic Management Use Cases

The Traffic Management settings in v11.9 support a wide variety of use cases such as these:
• Limit HTTP for all users on the Trusted interface; allow 2 Mbps maximum download bandwidth and 1 Mbps upload bandwidth.
• Guarantee 10 Mbps throughput for HTTP traffic for a specific user.
• Set a maximum and guaranteed bandwidth for each IP address, without creating a separate policy for each user.
• Limit or guarantee the bandwidth used by specific applications.
• Limit HTTP bandwidth for a group to 2 Mbps per user in the group, but limit the bandwidth used by streaming media applications to 100 Kbps per user.
The configuration for each use case is described at the end of this section.

Page 31: Traffic Management and Configuration Upgrade

When you upgrade a configuration from v11.8.x or lower to v11.9, any existing Traffic Management actions are removed.
Because the redesigned Traffic Management feature works so differently, there is no equivalent v11.9 Traffic Management action to convert to. Record the actions and the policies that use them before the upgrade, so that you can recreate the intended limits with the new action types afterwards.
Policy Manager shows different options for Traffic Management actions based on the OS Compatibility setting.

Page 32: Traffic Management Action Configuration

To create a new Traffic Management action:
• Select Setup > Actions > Traffic Management. Click Add.
• If prompted for OS Compatibility, select 11.9 or higher.
Select the action Type:
• All Policies — Applies to the combined bandwidth of all policies that use it
• Per Policy — Applies individually to each policy that uses it
• Per IP Address — Applies individually to each client source IP address
Configure the action settings:
• Maximum bandwidth
• Guaranteed bandwidth
• Maximum instance (Per IP Address actions only)

Page 33: Traffic Management Action Settings

Maximum Bandwidth
• The maximum amount of bandwidth to allocate for traffic that uses this action.
• If set to 0, there is no maximum.
Guaranteed Bandwidth
• The minimum amount of bandwidth to guarantee for traffic that uses this action.
• If set to 0, there is no guaranteed bandwidth.
• It is possible to configure policies with combined guaranteed bandwidth that exceeds the available bandwidth.
• The bandwidth can be guaranteed only if the combined guaranteed bandwidth for all concurrent traffic does not exceed the available bandwidth.
If the device is configured for Multi-WAN with the Round Robin or Routing Table options, the total available bandwidth is the aggregate interface bandwidth (the sum of the external bandwidth for each interface).

Page 34: Traffic Management Action Settings

Maximum Instance (for Per IP Address actions only)
• The maximum number of individual source IP addresses that the bandwidth constraints in the action can apply to.
• If the number of concurrent source IP addresses that use a Per IP Address action is larger than the Maximum Instance, multiple source IP addresses share the bandwidth specified in the action.
A round-robin algorithm determines which source IP addresses share bandwidth.
Recently connected source IP addresses share bandwidth with the source IP addresses that have been connected longest.

Page 35: Traffic Management Action Types

Consider the effect of a Traffic Management action with a maximum bandwidth of 1 Mbps, applied to four policies.
If the action type is All Policies, all four policies share the defined 1 Mbps maximum bandwidth, if it is available.
If the action type is Per Policy, each of the four policies individually can use the defined 1 Mbps maximum bandwidth, if it is available.
If the action type is Per IP Address, each source IP address for traffic handled by any of the four policies can use the defined 1 Mbps maximum bandwidth, if it is available.

Page 36: Traffic Management in Policies

In a policy, you can configure a separate Traffic Management action for traffic in each direction.
• Forward Action — Applies to traffic that originates from the From list (source)
• Reverse Action — Applies to traffic that originates from the To list (destination)
If a policy uses the same action for both directions, the action applies to the combined bandwidth of traffic in both directions.

Page 37: Traffic Management in Application Categories

You can apply Traffic Management actions to Application Control applications and application categories.
For an application, if you set the action for all behaviors or for specific behaviors to Allow, you can optionally enable Traffic Management and select a Traffic Management action to apply to the allowed traffic.

Page 38: Traffic Management for Application Categories

You can apply Traffic Management actions to an application category.
All applications in the category share the bandwidth specified in the Traffic Management action.

Page 39: Traffic Management for Application Categories

If you assign a Per IP Address Traffic Management action to multiple applications or categories, all applications in those categories share the bandwidth that the action allocates to each source IP address; the allocation is still made independently per source IP address.

Page 40: Traffic Management Action Precedence

If more than one Traffic Management action could apply to traffic, the XTM device applies the most specific action.
Traffic Management actions from most specific to least specific are:
1. Application
2. Application category
3. Policy
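The rules on pages 32 to 40 (three action types, Maximum Instance sharing, the guaranteed-bandwidth condition, and application > category > policy precedence) are easy to misread when several of them apply to the same flow. The following added example models them together and applies them to the group-plus-streaming scenario of use case 5 later in this section. It is not Fireware code: the Firebox scheduler is not public, so the sharing of one Per IP Address slot among several source IPs is modeled as the simplest reading of page 34 (IPs are assigned to slots round robin in connection order), and the policy, application and address names are made up.

```python
"""Model of Fireware XTM v11.9 Traffic Management action resolution: precedence
(page 40), the three action types (pages 32 and 35), Maximum Instance (page 34)
and the guarantee check (page 33), applied to use case 5 (pages 47 and 48).

Added example, not Fireware code. Slot sharing beyond Maximum Instance is an
assumed round-robin in connection order; names and addresses are made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TMAction:
    name: str
    kind: str                  # "all_policies", "per_policy" or "per_ip"
    maximum_kbps: int = 0      # 0 = no maximum
    guaranteed_kbps: int = 0   # 0 = no guarantee
    max_instance: int = 0      # per_ip only; 0 = one slot per source IP


@dataclass(frozen=True)
class Flow:
    policy: str
    src_ip: str
    application: Optional[str] = None
    category: Optional[str] = None


def select_action(flow, policy_actions, category_actions, app_actions):
    """Page 40: the most specific action wins (application > category > policy)."""
    if flow.application in app_actions:
        return app_actions[flow.application]
    if flow.category in category_actions:
        return category_actions[flow.category]
    return policy_actions.get(flow.policy)


def bandwidth_pools(action, flows):
    """Group flows into the sets that share action.maximum_kbps (pages 34 and 35).

    Returns {pool name: [flows]}; all flows in one pool compete for one maximum."""
    if action.kind == "all_policies":
        return {"all": list(flows)}
    pools = {}
    if action.kind == "per_policy":
        for f in flows:
            pools.setdefault(f.policy, []).append(f)
        return pools
    if action.kind == "per_ip":
        ips = []                                 # connection order, oldest first
        for f in flows:
            if f.src_ip not in ips:
                ips.append(f.src_ip)
        slots = action.max_instance or len(ips)
        for i, ip in enumerate(ips):
            # Beyond Maximum Instance, newcomer i shares the slot of IP i - slots.
            key = "slot%d" % (i % slots)
            pools.setdefault(key, []).extend(f for f in flows if f.src_ip == ip)
        return pools
    raise ValueError("unknown action type: " + action.kind)


def guarantees_fit(instances, external_kbps, multiwan_aggregate=False):
    """Page 33: guarantees hold only while their sum fits the available bandwidth.

    instances: one entry per policy (Per Policy) or per source IP (Per IP Address)
    currently using a guaranteeing action. With Multi-WAN Round Robin or Routing
    Table the available bandwidth is the sum over external interfaces; otherwise
    only the first interface counts."""
    available = sum(external_kbps) if multiwan_aggregate else external_kbps[0]
    needed = sum(a.guaranteed_kbps for a in instances)
    return needed <= available, needed, available


# Use case 5: 2 Mbps per user for HTTP, but 100 Kbps per user for streaming media.
TM_2M = TMAction("TM.2M", "per_ip", maximum_kbps=2000)
TM_100K = TMAction("TM.100K", "per_ip", maximum_kbps=100)
POLICY_ACTIONS = {"HTTP-sales": TM_2M}             # constructed policy name
CATEGORY_ACTIONS = {"Streaming Media": TM_100K}
APP_ACTIONS = {}


def demo():
    """Same user, same policy: ordinary web traffic vs. a streaming application."""
    web = Flow("HTTP-sales", "10.0.1.5")
    video = Flow("HTTP-sales", "10.0.1.5", application="Example Video",
                 category="Streaming Media")
    return (select_action(web, POLICY_ACTIONS, CATEGORY_ACTIONS, APP_ACTIONS).name,
            select_action(video, POLICY_ACTIONS, CATEGORY_ACTIONS, APP_ACTIONS).name)


if __name__ == "__main__":
    print(demo())
```

The point of demo() is that the category action overrides the policy action for the streaming flow even though both are Per IP Address actions on the same policy; a per-application action would override both. guarantees_fit() makes the page 33 warning concrete: three policies each guaranteeing 10 Mbps on a 20 Mbps uplink cannot all be honored, but the same three fit if Multi-WAN aggregates two 20 Mbps interfaces.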

Page 41: Traffic Management — Monitoring

Traffic Management statistics and graphs are available in:
• Firebox System Manager — Traffic Management tab
• Fireware XTM Web UI — System Status > Traffic Management page
The chart shows statistics for the selected action. In Firebox System Manager, hover over the action name to see the list of policies, applications, and source IP addresses it applies to. Expand a Per IP Address action to see statistics for each source IP address.

Page 42: Traffic Management — Monitoring

Page 43: Traffic Management Use Case 1

Limit HTTP for all users on the Trusted interface; allow 2 Mbps maximum download bandwidth and 1 Mbps upload bandwidth.
1. Configure an HTTP policy for traffic From: Trusted, To: Any-External.
2. Add a Per Policy Traffic Management action with Maximum 1 Mbps.
3. Add a Per Policy Traffic Management action with Maximum 2 Mbps.
4. In the HTTP policy:
   Set the Forward Action to the action with the 1 Mbps maximum to limit uploads.
   Set the Reverse Action to the action with the 2 Mbps maximum to limit downloads.

Page 44: Traffic Management Use Case 2

Guarantee 10 Mbps throughput for HTTP traffic for a specific user.
1. Add a Per Policy Traffic Management action with 10 Mbps Guaranteed bandwidth.
2. Create an HTTP policy for traffic From: <username>, To: Any-External.
3. Use the Traffic Management action as both the Forward Action and the Reverse Action in the HTTP policy.

Page 45: Traffic Management Use Case 3

Set a maximum and guaranteed bandwidth for each IP address, without creating a separate policy for each user.
1. Create a policy for the traffic from the list of users.
2. Add a Per IP Address Traffic Management action with the guaranteed and maximum bandwidth settings.
3. Use the Traffic Management action in the policy as both the Forward and Reverse action.

Page 46: Traffic Management Use Case 4

Limit or guarantee the bandwidth used by specific applications.
1. Add a Traffic Management action to limit or guarantee bandwidth.
2. Configure Application Control to use the Traffic Management action for each application.
3. Enable Application Control in the policy that handles traffic for the application.

Page 47: Traffic Management Use Case 5

Limit HTTP bandwidth for a group to 2 Mbps per user in the group, but limit the bandwidth used by streaming media applications to 100 Kbps per user.
1. Add a Per IP Address Traffic Management action TM.2M with 2 Mbps Maximum bandwidth.
2. Create an HTTP policy for the group, From: <group name>, To: Any-External, and use TM.2M as both the Forward Action and the Reverse Action for Traffic Management.

Page 48: Traffic Management Use Case 5

3. Add a Per IP Address Traffic Management action TM.100K with 100 Kbps Maximum bandwidth.
4. Use the TM.100K action for the Streaming Media application category in Application Control.
5. Enable the HTTP policy to use the Application Control action.

Page 49: Custom Interface

Page 50: Custom Interface

Fireware XTM v11.9 introduces a new interface type called Custom.
• Use a custom interface to define a custom security zone that is separate from the predefined trusted, optional, and external zones.
• A custom interface is not a member of the built-in aliases Any-Trusted, Any-Optional, or Any-External.
• Traffic for a custom interface is not handled by the default policies that use these aliases.
You must create or edit policies to handle traffic for a custom interface.
• You can use the interface name (alias) in policies.
• Or, add the interface name to another alias that you use in policies.
You can configure any of these interface types as a custom interface:
• Physical interface
• Wireless interface
• Network bridge
• VLAN interface
• Link Aggregation interface

Page 51: Custom Interface

A custom interface supports all the same settings as a trusted or optional interface.

Page 52: Custom Interface

To create a wireless guest network that fully separates traffic for wireless clients from your trusted and optional networks, you can configure a wireless access point as a custom interface.

Page 53: Gateway Wireless Controller & Wireless AP

Page 54: WatchGuard AP Firmware 1.2.9.1

Supports the new AP102 indoor/outdoor device model.
New Gateway Wireless Controller options:
• LED pairing status indicator
• Disable LEDs
• Disable DFS Channels
• Use Outdoor Channels Only
• Transmit Power
• SSH Access
New Gateway Wireless Controller monitoring options:
• Flash LEDs
• Restart Wireless
• Secondary channel display
AP Wireless Maps

Page 55: AP102 Outdoor Access Point

Identical in specifications to the AP100 single-radio model.
Special design for low-profile deployment in indoor or outdoor environments:
• Internal antennas
• Water-resistant case
• Minimalist labeling
• Small LEDs
Includes a mounting kit for mounting outdoors to a pole or other structure.

Page 56: Gateway Wireless Controller — New Options

Disable LEDs
• Operates your AP device in stealth mode, hiding the visual indication of wireless activity when the device is deployed in a location that requires additional security. Note that this hides only the LEDs; the radio and its SSIDs remain visible to any wireless scanner.
Use Outdoor Channels Only
• Enabled by default for AP102 outdoor wireless devices.
Disable DFS Channels
• DFS channels are shared with radar, and your AP device must stop transmitting if it detects radar signals on the channel it uses. This option disables these channels so that radar detection cannot interrupt your wireless service.

Page 57: Gateway Wireless Controller — Transmit Power

TX Power
• For each radio, you can optionally set the maximum transmit power to limit or extend the transmission distance of your wireless signals.
• You can set the transmit power between 3 dBm and 20 dBm, or set the value to Auto.
• The default (Auto) is 20 dBm.
• The transmit power cannot exceed the regulatory limits set for your region.

Page 58: Gateway Wireless Controller — SSH Access

SSH Access on WatchGuard APs
• Can be used by technical support.
• Disabled by default for security reasons.
• Only enable it if requested by technical support, and disable it again when the support case is closed.

Page 59: Gateway Wireless Controller — Monitoring

Flash Power LED
• You can flash the power LED on a specific AP device to help identify a particular device.
• This utility is useful if you use the Disable LEDs option to operate your AP device in stealth mode.
Restart Wireless
• You can restart the wireless interfaces without having to reboot the device.
• This allows auto channel selection to set a new channel if you have interference.

Page 60: Gateway Wireless Controller — Monitoring

Secondary channel display
• Secondary channel information for each radio, if available, is now displayed on the Gateway Wireless Controller monitoring page and in the site survey.

Page 61: Gateway Wireless Controller — Maps

In Fireware XTM Web UI, use the Maps tab on the Dashboard > Gateway Wireless Controller page to help you visualize your wireless environment, determine where to place your AP devices, and decide how best to configure them for your network environment.
Two views:
• Wireless Coverage Map — Shows the location of your Access Point devices in relation to one another.
• Channel Conflict Map — Shows the location of your Access Point devices and any other wireless devices in the vicinity, with the channel and bandwidth details for each device.
Select which radio bands to show on the maps:
• 2.4 GHz
• 5 GHz
Select which SSIDs to show on the maps.
Enable the Sticky Access Points option to anchor the AP devices to a place on the map.

Page 62: Gateway Wireless Controller — Maps

Page 63: What’s New in Fireware XTM v11.9 WatchGuard Training

XTM Wireless


Page 64: What’s New in Fireware XTM v11.9 WatchGuard Training

XTM Wireless Interface Changes

You can now use an XTM Wireless Interface with any network.
• No longer limited to Trusted/Optional and Guest network.

Any interface can be used as a Guest network.

Previous Guest network interface renamed Access point 3.

You can choose Trusted, Optional, Bridge, VLAN, or Custom (new) interface.


Page 65: What’s New in Fireware XTM v11.9 WatchGuard Training

XTM Wireless Guest Network and Custom Interface

To enable a wireless network for guest users, you can configure an access point in the Custom zone.

Custom is separate from the predefined trusted, optional, and external zones.

A custom interface is not a member of the built-in aliases Any-Trusted, Any-Optional, or Any-External.

Traffic for a custom interface is not handled by the default policies that use these aliases.

Use the wireless interface alias in policies that you want to handle traffic from wireless clients so they cannot access Trusted or Optional networks.


Page 66: What’s New in Fireware XTM v11.9 WatchGuard Training

VPN Enhancements


Page 67: What’s New in Fireware XTM v11.9 WatchGuard Training

IPSec VPN — Diffie-Hellman Group Support

Fireware XTM v11.9 adds support for more secure Diffie-Hellman groups:
• DH Group 14: 2048-bit group
• DH Group 15: 3072-bit group
• DH Group 19: 256-bit elliptic curve group
• DH Group 20: 384-bit elliptic curve group

You can use these Diffie-Hellman groups when you configure:
• Branch Office VPN
• BOVPN virtual interface
• Mobile VPN with IPSec
• Mobile VPN with L2TP


Page 68: What’s New in Fireware XTM v11.9 WatchGuard Training

Enable/Disable Branch Office VPNs

You can now disable and enable BOVPN gateways and BOVPN virtual interfaces.

When a BOVPN is disabled:
• You can still edit BOVPN gateway, tunnel, and virtual interface settings.
• The tunnels associated with a disabled BOVPN gateway are disabled.
• Disabled tunnel routes do not appear in the Status Report.
• BOVPN virtual interface routes are not added to the routing table.
• Disabled tunnels and BOVPN virtual interfaces are disabled in the BOVPN-Allow.out and BOVPN-Allow.in policies, and in any other policies that use them.


Page 69: What’s New in Fireware XTM v11.9 WatchGuard Training

Mobile VPN with SSL

If you configure Mobile VPN with SSL to use more than one authentication server, the user can now select the authentication server from the Domain drop-down list on the SSLVPN authentication page.

This change affects the SSLVPN.html page where users download a Mobile VPN with SSL client — https://<interface-ip-address>/sslvpn.html


Page 70: What’s New in Fireware XTM v11.9 WatchGuard Training

Mobile VPN with SSL — Auto Reconnect Setting

The authentication settings for Mobile VPN with SSL now include an option to control whether the Mobile VPN with SSL client automatically reconnects.
• The setting to force users to authenticate after a connection is lost is available only after the auto reconnect option is enabled.
• If the auto reconnect option is enabled in the device configuration, the v11.9 Mobile VPN with SSL client has a check box that lets the user control whether the client automatically reconnects.


Page 71: What’s New in Fireware XTM v11.9 WatchGuard Training

Mobile VPN with SSL Client

The v11.9 Mobile VPN with SSL client has two new check boxes.
• Automatically reconnect
  This check box appears in the client only if the “Auto connect after a password is lost” option is enabled in the Mobile VPN with SSL authentication settings on the Firebox or XTM device. When this check box is selected, the client automatically tries to reconnect after a connection was lost.
• Remember password
  This check box appears in the client only if the “Allow the Mobile SSL with VPN client to remember the password” option is enabled in the Mobile VPN with SSL settings on the Firebox or XTM device. When this check box is selected, the client remembers the password used for the previous connection.


Page 72: What’s New in Fireware XTM v11.9 WatchGuard Training

Mobile VPN with SSL — Bridge VPN Traffic to a Bridge

The Mobile VPN with SSL Bridge VPN Traffic option now requires that you first configure a network bridge.
• The Bridge to interface drop-down list now includes only bridge interfaces.

Fireware XTM v11.8.x and lower did not support bridging VPN traffic to a network bridge.
• When you upgrade to v11.9 from an earlier version, if Mobile VPN with SSL was configured to bridge VPN traffic to an interface, the upgrade process automatically creates a new bridge that includes the interface.


Page 73: What’s New in Fireware XTM v11.9 WatchGuard Training

Mobile VPN with SSL — SHA Authentication

The SHA authentication algorithm is no longer supported for Mobile VPN with SSL.

Supported authentication methods are:
• MD5
• SHA-1
• SHA-256
• SHA-512


Page 74: What’s New in Fireware XTM v11.9 WatchGuard Training

FireCluster


Page 75: What’s New in Fireware XTM v11.9 WatchGuard Training

FireCluster — Web UI Support

You can now use the Fireware XTM Web UI to connect to a FireCluster.
• To connect to the Web UI for a FireCluster on an interface IP address: https://<interface-IP-address>:8080
• To connect to an individual cluster member, use the management IP address: https://<cluster-member-management-ip-address>:8080

On the Front Panel page, you can see the name of the cluster member you are connected to. If you connected to an interface IP address, this is the name of the current cluster master.


Page 76: What’s New in Fireware XTM v11.9 WatchGuard Training

FireCluster — Web UI Support

When connected to the cluster master, you can make any type of configuration change you could make to a non-clustered device.
• Configuration changes are automatically synchronized with the backup master.

You cannot use the Fireware XTM Web UI to:
• Enable or disable a FireCluster or change FireCluster settings
• Force a FireCluster member to fail over
• Make a member join or leave a cluster
• Discover a cluster member
• Monitor cluster health
• Upgrade both members of a cluster

When connected to the backup master, you can:
• Upgrade the Fireware XTM OS on the backup master
• Save or restore a backup image to the backup master
• Reboot the backup master
• Update subscription services signatures on the backup master


Page 77: What’s New in Fireware XTM v11.9 WatchGuard Training

FireCluster — Web UI Support

When you connect to the Web UI for the cluster master, most pages show combined information and statistics for both cluster members.

There are two pages that show information for only one member at a time.
• Dashboard > Traffic Monitor
• System Status > Traffic Management

Information about the cluster master is shown by default. Use the drop-down list to select the cluster member to monitor.


Page 78: What’s New in Fireware XTM v11.9 WatchGuard Training

FireCluster — Link Monitoring Control

For an active/passive cluster, you can now control which interfaces are monitored for link status as criteria for failover.

All enabled interfaces are monitored by default.

To disable link monitoring for an interface, clear the check box in the Monitor Link column.

WatchGuard recommends that you monitor the link status of all enabled interfaces.

Page 79: What’s New in Fireware XTM v11.9 WatchGuard Training

FireCluster — PPPoE Support

You can now enable an active/passive FireCluster when the external interface uses PPPoE.

The option to configure an active/active cluster is not available if external interfaces use PPPoE.

If the external interface uses PPPoE, you cannot select the external interface as the FireCluster interface for the management IP address.

Page 80: What’s New in Fireware XTM v11.9 WatchGuard Training

FireCluster — VLAN or Bridge for Management Interface

You can now select a bridge or VLAN interface as the FireCluster management interface.


Page 81: What’s New in Fireware XTM v11.9 WatchGuard Training

IPv6


Page 82: What’s New in Fireware XTM v11.9 WatchGuard Training

IPv6 in Bridge, Link Aggregation, and VLAN interfaces

IPv6 addresses are now supported in Bridge, Link Aggregation, and VLAN interfaces. IPv6 settings are the same as for IPv6 on a physical interface.


Page 83: What’s New in Fireware XTM v11.9 WatchGuard Training

IPv6 in Bridge, Link Aggregation, and VLAN interfaces

You can now create IPv6 static routes to Bridge, Link Aggregation, and VLAN interfaces that have IPv6 enabled.

When you add the IPv6 static route, you can specify the interface to route through. The list of interfaces now includes Bridge, Link Aggregation, and VLAN interfaces, in addition to physical interfaces.


Page 84: What’s New in Fireware XTM v11.9 WatchGuard Training

IPv6 Dynamic Routing

Fireware XTM now supports IPv6 dynamic routing protocols.
• RIPng (next generation)
• OSPFv3
• BGP v4

The dynamic routing configuration has two new tabs.
• RIPng
• OSPFv3

There is no new tab for BGP, but you can now use IPv6 commands in the BGP tab.

When you enable RIPng or OSPFv3, new dynamic routing policies are automatically created to allow the traffic.
• DR-RIPng-Allow
• DR-OSPFv3-Allow


Page 85: What’s New in Fireware XTM v11.9 WatchGuard Training

IPv6 Dynamic Routing — Limitations

Two OSPFv3 commands are not supported:
• Area
• Access list


Page 86: What’s New in Fireware XTM v11.9 WatchGuard Training

IPv6 BOVPN Virtual Interface Tunnel Routes

You can now add IPv6 BOVPN virtual interface tunnel routes. This enables you to route IPv6 traffic through an IPv4 BOVPN tunnel between two Firebox or XTM devices.

An IPv6 BOVPN virtual interface route is a 6in4 tunnel route that uses a GRE tunnel within the IPSec BOVPN tunnel.


Page 87: What’s New in Fireware XTM v11.9 WatchGuard Training

Role-based Device User Accounts For Management & Auditing


Page 88: What’s New in Fireware XTM v11.9 WatchGuard Training

Device Management User Accounts — Manage

You can now configure additional user accounts on your Firebox or XTM device to allow users to log in to a device with their own user accounts to manage and monitor the device.

There are two available roles you can assign to users:
• Device Administrator
• Device Monitor

Each device has three default user accounts:
• status — The default Device Monitor user account
• admin — The default Device Administrator user account
• wgsupport — The default user account for WatchGuard Technical Support. This user account is disabled by default. You can enable it to allow a WatchGuard Technical Support representative to connect to your device.

Add, edit, or delete user accounts.
• You cannot delete the three default user accounts. You can only change the passphrase for the default accounts.


Page 89: What’s New in Fireware XTM v11.9 WatchGuard Training

Device Management User Accounts — Manage

In Policy Manager, select File > Manage Users and Roles.
• If you’re logged in to the device with a Device Monitor user account, you must type an Administrator passphrase before the Manage Users and Roles dialog box will open.


Page 90: What’s New in Fireware XTM v11.9 WatchGuard Training

Device Management User Accounts — Manage

In Fireware XTM Web UI, select System > Users and Roles.
• You must log in with a user account that has Device Administrator privileges.


Page 91: What’s New in Fireware XTM v11.9 WatchGuard Training

Device Management User Accounts — Audit

New user accounts enable you to see which users have connected to the device to make configuration changes and what changes each user made to the device configuration.

In Fireware XTM Web UI, on the System Status > Users and Roles page, you can see the list of users logged in to the device.
• Users with Device Administrator privileges can log off users with Device Monitor privileges.


Page 92: What’s New in Fireware XTM v11.9 WatchGuard Training

Device Management User Accounts — Audit

In FSM on the Authentication List tab, you can see which users are logged in to the device, and open the Management Users dialog box to see the total number of connected Device Management users.


Page 93: What’s New in Fireware XTM v11.9 WatchGuard Training

Device Management User Accounts — Audit

In WatchGuard Report Manager and WatchGuard Dimension, you can run a report that includes a list of the configuration changes made to your device and the user account that made the changes.
• In WatchGuard Report Manager, run a Firebox Reports > Audit Trail report.
• In WatchGuard Dimension, select a Device > Audit Trail report.


Page 94: What’s New in Fireware XTM v11.9 WatchGuard Training

Device Management User Accounts — Login

If you have more than one authentication server configured on your Firebox or XTM device, when you log in to the device, you must select the authentication server for the user credentials you specify.


Page 95: What’s New in Fireware XTM v11.9 WatchGuard Training

Logging Enhancements


Page 96: What’s New in Fireware XTM v11.9 WatchGuard Training

Configure Syslog Settings for QRadar

You can configure your Firebox or XTM device to send syslog log messages to your QRadar server for integration with IBM’s SIEM system.

In Policy Manager, in the Logging Setup dialog box, configure the Syslog Server settings to specify your QRadar server and select IBM LEEF for the Log format.

Page 97: What’s New in Fireware XTM v11.9 WatchGuard Training

Configure Syslog Settings for QRadar

In Fireware XTM Web UI, select System > Logging, and configure the Syslog Server settings to specify your QRadar server and select IBM LEEF for the Log Format.
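Once the device is sending IBM LEEF over syslog, the receiving side has to split the pipe-delimited LEEF header from the delimited key=value attributes. The following is an added example, not WatchGuard code, that parses LEEF 1.0 and 2.0 lines (including the optional LEEF 2.0 delimiter field) and runs a small deny-count rollup over constructed sample lines; the event IDs and attribute names in the samples are placeholders, not real Firebox output.

```python
"""Parse syslog lines that carry IBM LEEF events, the format a Firebox sends
when Log Format is set to IBM LEEF for QRadar. Added example, not WatchGuard
code; the sample lines are constructed (placeholder event IDs and fields)."""
import re
from dataclasses import dataclass, field

# Header: LEEF:<version>|<vendor>|<product>|<product version>|<event id>|
HEADER = re.compile(
    r"LEEF:(?P<version>\d\.\d)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|"
)

@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attrs: dict = field(default_factory=dict)

def _delimiter(version, rest):
    """Return (attribute delimiter, attribute text). LEEF 1.0 always uses a
    tab. LEEF 2.0 may carry a delimiter field before the attributes (a single
    character or xHH hex); attributes always contain '=', a delimiter field never does."""
    if version != "1.0":
        head, sep, tail = rest.partition("|")
        if sep and "=" not in head:
            if head == "":
                return "\t", tail
            if re.fullmatch(r"x[0-9A-Fa-f]{2}", head):
                return chr(int(head[1:], 16)), tail
            if len(head) == 1:
                return head, tail
    return "\t", rest

def parse_leef(line):
    """Parse one syslog line; PRI, timestamp and host before 'LEEF:' are
    skipped. Raises ValueError if there is no well-formed LEEF header."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF payload in line")
    m = HEADER.match(line, start)
    if not m:
        raise ValueError("malformed LEEF header")
    ev = LeefEvent(**m.groupdict())
    delim, attr_text = _delimiter(ev.version, line[m.end():])
    for pair in attr_text.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            ev.attrs[key.strip()] = value.strip()
    return ev

def denied_by_source(lines):
    """Count Deny events per source address: a minimal SIEM-style rollup."""
    counts = {}
    for line in lines:
        ev = parse_leef(line)
        if ev.attrs.get("action", "").lower() == "deny":
            src = ev.attrs.get("src", "unknown")
            counts[src] = counts.get(src, 0) + 1
    return counts

# Constructed samples: LEEF 1.0 (tab attributes, behind a syslog prefix) and LEEF 2.0 declaring '^'
SAMPLE_V1 = ("<134>Jan  1 12:00:00 fw1 LEEF:1.0|WatchGuard|XTM|11.9|evt-0001|"
             "src=10.0.1.25\tdst=203.0.113.7\tdstPort=443\tproto=tcp\taction=Deny")
SAMPLE_V2 = ("LEEF:2.0|WatchGuard|XTM|11.9|evt-0002|^|"
             "src=10.0.1.25^dst=203.0.113.7^dstPort=443^action=Allow")
```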

Page 98: What’s New in Fireware XTM v11.9 WatchGuard Training

Review Log Files for SSO Components

When you use Telnet to enable logging for the SSO Agent, the SSO Agent, Event Log Monitor, and Exchange Monitor all send log messages to log files, which you can review for information about the events on each SSO component.
• SSO Agent — wagsrvc.log
• Event Log Monitor — eventlogmonitor.log
• Exchange Monitor — exchangemonitor.log

The log files are found in the installation directory for each SSO component:
• 64-bit servers — C:\Program Files (x86)\WatchGuard\WatchGuard Authentication Gateway
• 32-bit servers — C:\Program Files\WatchGuard\WatchGuard Authentication Gateway


Page 99: What’s New in Fireware XTM v11.9 WatchGuard Training

Authentication Enhancements


Page 100: What’s New in Fireware XTM v11.9 WatchGuard Training

User Lock Out for Hotspots

When you configure the settings for the hotspot on your Firebox or XTM device, and select a Custom Page hotspot, you can specify the amount of time users cannot connect to the hotspot after their sessions expire.

In the User Locked Out setting, specify the amount of time in seconds, minutes, hours, or days that users are prohibited from reconnecting to the hotspot.

To allow users to always reconnect and never lock users out, specify a value of 0.


Page 101: What’s New in Fireware XTM v11.9 WatchGuard Training

User Lock Out for Hotspots


Page 102: What’s New in Fireware XTM v11.9 WatchGuard Training

Authentication Server Timeout

When you use an Active Directory server or an LDAP server for authentication, you can specify the Timeout value to configure the amount of time the Firebox or XTM device waits for a response from the authentication server before it closes the connection and tries to connect again.

For PhoneFactor authentication, you can configure the timeout value in the authentication server settings to specify when out-of-band PhoneFactor authentication occurs. The timeout value must be more than 10 seconds.


Page 103: What’s New in Fireware XTM v11.9 WatchGuard Training

Authentication Server Timeout


Page 104: What’s New in Fireware XTM v11.9 WatchGuard Training

Other Enhancements


Page 105: What’s New in Fireware XTM v11.9 WatchGuard Training

Device Feedback Enhancements

Device feedback now includes additional information:
• The geographic distribution of Fireware XTM OS versions.
• Summarized information from each device about which features and services are used.
• Threats that are intercepted.
• Device health and performance.

Feedback is now sent once every six days and when the device is rebooted.


Page 106: What’s New in Fireware XTM v11.9 WatchGuard Training

Bandwidth Statistics for Wireless Interfaces

In Fireware XTM Web UI, on the Dashboard Interfaces page, Bandwidth tab, the Wireless Interfaces chart includes the bytes sent and bytes received through the wireless interfaces on your Firebox or XTM device.

Page 107: What’s New in Fireware XTM v11.9 WatchGuard Training

Static ARP Enhancements

You can now add static ARP entries for Bridge, VLAN, and Link Aggregation interfaces.

You can now configure static ARP entries in the Web UI.


Page 108: What’s New in Fireware XTM v11.9 WatchGuard Training

DHCP Option 50 Support

The DHCP server now responds to DHCP Option 50 requests (DHCP requested IP) from DHCP clients.

Because this is a DHCP client request option, there are no changes to the DHCP server option in the interface configuration.
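To show what honouring option 50 means on the server side, here is an added example, not Fireware code, that decodes the DHCP option area, extracts the requested address, and applies the RFC 2131 rules: grant it when it is inside the pool and free or already leased to the same client, NAK a DHCPREQUEST it cannot grant, and fall back to a free address for a DHCPDISCOVER. The option areas are constructed with build_options; the pool and lease data are placeholders.

```python
"""Decode the DHCP option area and apply the server-side handling of option 50
(Requested IP Address, RFC 2132 9.1). Added example, not Fireware code; the
packets, pool and leases are constructed placeholders."""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 0, 50, 53, 255
DISCOVER, REQUEST = 1, 3


def parse_options(options):
    """Decode TLV options after the magic cookie into {code: bytes}. Pad has
    no length byte, End stops parsing, truncation raises ValueError."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, out = len(MAGIC_COOKIE), {}
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        data = options[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = data
        i += 2 + length
    return out


def requested_ip(opts):
    """Option 50 must be exactly 4 bytes; any other length is ignored."""
    raw = opts.get(OPT_REQUESTED_IP)
    if raw is None or len(raw) != 4:
        return None
    return str(ipaddress.IPv4Address(raw))


def choose_address(opts, client_id, pool_cidr, leases):
    """Return (address, reason); `leases` maps address -> client id.
    The requested address is granted when it is inside the pool and free or
    already leased to this client. A DHCPREQUEST that cannot be granted gets
    a NAK (RFC 2131 4.3.2); a DHCPDISCOVER falls back to a free address."""
    pool = ipaddress.IPv4Network(pool_cidr)
    want = requested_ip(opts)
    if (want is not None and ipaddress.IPv4Address(want) in pool
            and leases.get(want, client_id) == client_id):
        return want, "requested"
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] == REQUEST:
        return None, "nak"
    for addr in pool.hosts():
        if str(addr) not in leases:
            return str(addr), "fallback"
    return None, "exhausted"


def build_options(msg_type, requested=None):
    """Construct a client's option area (test input, not captured traffic)."""
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    if requested:
        body += bytes([OPT_REQUESTED_IP, 4]) + ipaddress.IPv4Address(requested).packed
    return MAGIC_COOKIE + body + bytes([OPT_END])
```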


Page 109: What’s New in Fireware XTM v11.9 WatchGuard Training

OSPF ECMP Routing

The OSPF dynamic routing protocol now supports ECMP (Equal Cost Multi-Path) routing.
• ECMP support is enabled by default. There are no new OSPF dynamic routing commands required to enable it.
• The ECMP algorithm depends on the source and destination IP addresses of the traffic. You need at least two traffic flows with different source or destination IP addresses for ECMP load balancing to function.
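Added example, not Fireware code, showing why flow-based ECMP needs more than one flow: every packet of a flow is keyed on its (source, destination) pair, so one repeated flow always takes the same next hop while 64 distinct flows are spread across both equal-cost next hops. The hash here is an assumed generic choice; the page does not document the device's actual hash function, and the next hops and flows are constructed placeholders.

```python
"""Flow-based ECMP next-hop selection over equal-cost OSPF routes.
Added example, not Fireware code: the hash is an assumed generic choice and
the next hops and flows are constructed placeholders."""
import hashlib
import ipaddress
from collections import Counter


def select_next_hop(src, dst, next_hops):
    """Pick one equal-cost next hop from a hash of (src, dst). The same pair
    always maps to the same hop, so packets of one flow are never split."""
    key = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    digest = hashlib.sha256(key).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


def distribute(flows, next_hops):
    """Count packets per next hop; one repeated flow lands on a single hop."""
    return Counter(select_next_hop(s, d, next_hops) for s, d in flows)


# Constructed next hops and flows (documentation prefixes, not a real network)
NEXT_HOPS = ["10.1.0.1", "10.2.0.1"]
ONE_FLOW = [("192.0.2.10", "203.0.113.5")] * 1000        # one client, one server
MANY_FLOWS = [("192.0.2.%d" % i, "203.0.113.5") for i in range(1, 65)]
```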


Page 110: What’s New in Fireware XTM v11.9 WatchGuard Training

Thank You!
